SP-API api sandbox always returns 403 Forbidden status code


#1

We are trying to get access to the SP-API sandbox. No matter what, we always get a 403 status code response. We have tried Amazon internal support, but they simply link to the documentation.

Here is an example request we are making:

curl --location --request GET 'https://sandbox.sellingpartnerapi-na.amazon.com/orders/v0/orders?CreatedAfter=TEST_CASE_200_NEXT_TOKEN&MarketplaceIds=ATVPDKIKX0DER' \
--header 'x-amz-access-token: <ACCESS TOKEN HERE>' \
--header 'X-Amz-Security-Token: <POSTMAN GENERATED TOKEN>' \
--header 'X-Amz-Date: <POSTMAN GENERATED DATE>' \
--header 'Authorization: <POSTMAN GENERATED AUTH TOKEN>'

RESPONSE:
403 Forbidden
{
    "errors": [
        {
            "message": "Access to requested resource is denied.",
            "code": "Unauthorized",
            "details": ""
        }
    ]
}

Our process is as follows:

  1. Authorize app in Developer Central to get a refresh token
  2. Use that refresh token and the app’s client id/secret to get an access token
  3. Hit the sts.amazonaws.com endpoint with our IAM access/secret key to assume the role with the attached policy (aws region us-east-1 and service name sts)
  4. Take the AccessKeyId, SecretAccessKey, and SessionToken returned from the sts request and (using postman) construct a request to the sandbox (sandbox.sellingpartnerapi-na) using the access token retrieved in step 2 for the x-amz-access-token

If a token expires or is incorrect, we get applicable error responses so we’ve eliminated that as an issue.


Now for a relevant tangent:

Unfortunately, while we do have a Developer Profile and current applications, our Seller Central profile is deactivated/suspended. Could this be the reason for our 403?

We have tried creating a new Seller Central account and Developer Profile, but were denied on the basis that we have an existing account. So, if a deactivated account cannot hit the sandbox, and we cannot create a new account because of the existing (deactivated) account, we find ourselves in a catch 22. Side note: we are regularly audited by Amazon and meet all security requirements.


Questions:

  • Can we make requests to the SP-API sandbox with a Seller Central Account that has been deactivated?
    • If so, why are we receiving the “Access to requested resource is denied.” error (without any details) if our requests match the documentation exactly?

    • If not, is it possible to migrate to a new Seller Central account and Developer Profile?


#2

I believe API credentials are restricted when your seller account is suspended.

You cannot create a new account as the new account will be linked to the suspended account and it will be suspended. Your only option is to get your current account in good standing.